August 1, 2006

MEMORANDUM TO:    Luis A. Reyes
                  Executive Director for Operations

FROM:             Stephen D. Dingbaum /RA/
                  Assistant Inspector General for Audits

SUBJECT:          AUDIT OF NRC'S IMPLEMENTATION OF HOMELAND SECURITY
                  PRESIDENTIAL DIRECTIVE-12 (HSPD-12) (OIG-06-A-20)

This report presents the results of the subject audit. Agency comments provided at the exit conference on July 10, 2006, have been incorporated, as appropriate, into this report. The agency did not provide formal comments.

Please provide information on actions taken or planned on each of the recommendations within 30 days of the date of this memorandum. Actions taken or planned are subject to OIG follow up as stated in Management Directive 6.1.

We appreciate the courtesies and cooperation extended to us by members of your staff during the audit. If you have any questions or comments about our report, please contact me at 301-415-5915, or Beth Serepca at 415-5911.

Attachment: As stated

Electronic Distribution

John T. Larkins, Executive Director, Advisory Committee on Reactor Safeguards/Advisory Committee on Nuclear Waste
G. Paul Bollwerk, III, Chief Administrative Judge, Atomic Safety and Licensing Board Panel
Karen D. Cyr, General Counsel
John F. Cordes, Jr., Director, Office of Commission Appellate Adjudication
Jesse L. Funches, Chief Financial Officer
Janice Dunn Lee, Director, Office of International Programs
Rebecca L. Schmidt, Director, Office of Congressional Affairs
Eliot B. Brenner, Director, Office of Public Affairs
Annette Vietti-Cook, Secretary of the Commission
William F. Kane, Deputy Executive Director for Reactor and Preparedness Programs, OEDO
Martin J. Virgilio, Deputy Executive Director for Materials, Research, State and Compliance Programs, OEDO
Jacqueline E. Silber, Deputy Executive Director for Information Services and Administration, and Chief Information Officer, OEDO
William M. Dean, Assistant for Operations, OEDO
Timothy F. Hagan, Director, Office of Administration
Michael R. Johnson, Director, Office of Enforcement
Guy P. Caputo, Director, Office of Investigations
Edward T. Baker, Director, Office of Information Services
James F. McDermott, Director, Office of Human Resources
Corenthis B. Kelley, Director, Office of Small Business and Civil Rights
Jack R. Strosnider, Director, Office of Nuclear Material Safety and Safeguards
James E. Dyer, Director, Office of Nuclear Reactor Regulation
Brian W. Sheron, Director, Office of Nuclear Regulatory Research
Janet R. Schlueter, Director, Office of State and Tribal Programs
Roy P. Zimmerman, Director, Office of Nuclear Security and Incident Response
Samuel J. Collins, Regional Administrator, Region I
William D. Travers, Regional Administrator, Region II
James L. Caldwell, Regional Administrator, Region III
Bruce S. Mallett, Regional Administrator, Region IV

AUDIT REPORT

Audit of NRC's Implementation of Homeland Security Presidential Directive-12 (HSPD-12)

OIG-06-A-20     August 1, 2006

All publicly available OIG reports (including this report) are accessible through NRC's Web site at:
http:/www.nrc.gov/reading-rm/doc-collections/insp-gen/

EXECUTIVE SUMMARY

BACKGROUND

President Bush issued Homeland Security Presidential Directive-12 (HSPD-12) on August 27, 2004, to address wide variations in the quality and security of forms of identification used to gain access to Federal facilities. This directive ordered the establishment of a mandatory Governmentwide standard for secure and reliable forms of identification to be issued by the Government to its contractors and employees.

In February 2005, the National Institute of Standards and Technology (NIST) issued Federal Information Processing Standards Publication 201 (FIPS 201), "Personal Identity Verification (PIV) of Federal Employees and Contractors." This document specifies the requirements for a common identification standard for Federal employees and contractors. In March 2006, NIST issued a revision to FIPS 201.
The revised document has the same title as FIPS 201, and is identified as FIPS 201-1. Differences between the two versions are irrelevant to the findings in this report.

FIPS 201-1 consists of two parts. The first, referred to as PIV-I, sets out uniform requirements for identity proofing (i.e., verifying the identity of individuals applying for official agency badges) as well as issuing badges, maintaining related information, and protecting the privacy of applicants. The second part, known as PIV-II, provides detailed specifications that will support technical interoperability[1] among Government department and agency personal identity verification systems.

[1] Interoperability is the ability of two or more systems or components to exchange information and to use the information exchanged.

PURPOSE

The objective of this audit was to determine whether the Nuclear Regulatory Commission (NRC) is positioned to meet HSPD-12 requirements.

RESULTS IN BRIEF

NRC implemented a PIV-I process in accordance with the Office of Management and Budget's (OMB) deadline and is considering options for PIV-II implementation. However, improvements are needed to (1) assure consistent fulfillment of PIV-I requirements and (2) strengthen the HSPD-12 working group. In addition to these two audit findings, this report conveys an observation concerning the agency's approach to PIV-II. This observation, which appears in Appendix C, addresses the need to document PIV-II alternatives to ensure the agency pursues a cost-effective solution.

PIV-I Process Is Not Always Followed

NRC implemented a PIV-I process within the timeframe required by OMB. However, staff do not always follow certain PIV-I requirements contained in NIST guidance or in NRC's accredited PIV-I implementation plan. Auditors identified examples where:

• The required background investigation was not completed prior to badge issuance.
• Required identity documents were not reviewed prior to badge issuance.
• Required paperwork was not on file.
• The separation-of-duty requirement was not achieved in headquarters because a single individual has the ability to issue a badge without cooperation from any other participant in the process.

These problems occurred because (1) there is no quality assurance measure to assure that required steps are met prior to badge issuance, (2) some personnel with roles in the process do not understand their responsibilities, and (3) the badge photograph process is not carried out in accordance with the accredited plan. As a result, NRC (1) lacks assurance that the PIV-I process is consistently followed and (2) does not achieve the HSPD-12 separation-of-duty requirement.

Strengthen the HSPD-12 Working Group

NRC's HSPD-12 working group lacks a charter, lacks certain expertise that will be useful to guide the implementation of PIV-II, and has limited executive level representation. NRC's HSPD-12 working group is not sufficiently formalized or representative because Security Branch officials did not recognize the need for such measures.
The development of an appropriate and cost-effective PIV-II solution will be facilitated by the efforts of a more formalized working group.

RECOMMENDATIONS

This report makes six recommendations to assure PIV-I requirements are fulfilled and to strengthen the HSPD-12 working group.

AGENCY COMMENTS

During an exit conference held July 10, 2006, the agency generally agreed with the audit findings and recommendations and provided comments concerning the draft audit report. We modified the report as we determined appropriate in response to these comments. NRC reviewed these modifications and opted not to submit formal written comments to this final version of the report.

TABLE OF CONTENTS

    EXECUTIVE SUMMARY ........................................ i
    ABBREVIATIONS AND ACRONYMS ............................... vii
    I.    BACKGROUND ......................................... 1
    II.   PURPOSE ............................................ 8
    III.  FINDINGS ........................................... 9
          A. PIV-I PROCESS IS NOT ALWAYS FOLLOWED ............ 9
          B. HSPD-12 WORKING GROUP HAS SEVERAL SHORTCOMINGS .. 17
    IV.   AGENCY COMMENTS .................................... 21
    V.    CONSOLIDATED LIST OF RECOMMENDATIONS ............... 22

    APPENDICES

    A.    PIV-II ARCHITECTURE DIAGRAM ........................ 23
    B.    SCOPE AND METHODOLOGY .............................. 25
    C.    AUDIT OBSERVATION CONCERNING NRC'S PIV-II APPROACH . 27
    D.    SAMPLE CHARTER – HOMELAND SECURITY PRESIDENTIAL DIRECTIVE-12
          PERSONAL IDENTITY VERIFICATION WORKING GROUP ....... 31

ABBREVIATIONS AND ACRONYMS

    FBI        Federal Bureau of Investigation
    FIPS       Federal Information Processing Standards Publication
    GAO        Government Accountability Office
    HSPD-12    Homeland Security Presidential Directive-12
    MD         Management Directive and Handbook
    NRC        Nuclear Regulatory Commission
    OIG        Office of the Inspector General
    OMB        Office of Management and Budget
    PIV        Personal Identity Verification

I. BACKGROUND

President Bush issued Homeland Security Presidential Directive-12 (HSPD-12) on August 27, 2004, to address wide variations in the quality and security of forms of identification used to gain access to Federal facilities. This directive ordered the establishment of a mandatory Governmentwide standard for secure and reliable forms of identification to be issued by the Government to its contractors and employees.

HSPD-12 assigned specific responsibilities and deadlines to different Government entities. It directed the Secretary of Commerce, within 6 months of the directive's issuance, to issue a standard for secure and reliable forms of identification that:

• Establishes a reliable process for verifying an individual's identity.
• Is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation.
• Can be verified electronically in an expeditious manner.
• Is distributed only by an authorized provider whose reliability has been established in an official accreditation process.

It directed Government departments and agencies to require Federal employees and contractors to use identification that meets the standard to gain physical and logical access to Federal facilities and information systems.[2] This was to be accomplished within 8 months of the standard's issuance and to the maximum extent practicable. It directed the Office of Management and Budget (OMB) to ensure compliance with the directive and standard. (See Table 1 for a list of dates related to HSPD-12.)

[2] Physical access refers to the physical access to the computing systems, facilities, and paper records. Logical access refers to user based authenticated access to computers, application systems, and the data that is processed.

Table 1. HSPD-12 Dates

    August 2004      President issues HSPD-12
    February 2005    NIST issues FIPS 201
    August 2005      OMB issues HSPD-12 implementation guidance memo
    October 2005     Deadline for agency compliance with PIV-I
    March 2006       NIST issues FIPS 201-1
    October 2006     Deadline for agencies to begin issuing HSPD-12 badges
    October 2007     Deadline for agencies to finish issuing HSPD-12 badges

FIPS 201 and 201-1

In February 2005, the National Institute of Standards and Technology (NIST) (part of the Department of Commerce) issued Federal Information Processing Standards Publication 201 (FIPS 201), "Personal Identity Verification (PIV) of Federal Employees and Contractors." This document specifies the requirements for a common identification standard for Federal employees and contractors. In March 2006, NIST issued a revision to FIPS 201. The revised document has the same title as FIPS 201, and is identified as FIPS 201-1. Differences between the two versions are irrelevant to the findings in this report.

FIPS 201-1 consists of two parts.
The first, referred to as PIV-I, sets out uniform requirements for identity proofing (i.e., verifying the identity of individuals applying for official agency badges) as well as issuing badges, maintaining related information, and protecting the privacy of applicants. Table 2 lists some of the main PIV-I requirements.

Table 2. Selected PIV-I Requirements

• Successfully completed background investigation
• Two original identification documents
• Applicant appears in person prior to badge issuance
• Verification, at badge issuance, that the recipient is the same as the intended recipient
• A single individual cannot issue a badge without the cooperation of another authorized person
• Full disclosure to badge recipients of intended uses of the badge and related privacy implications

The second part, known as PIV-II, provides detailed specifications that will support technical interoperability among Government department and agency personal identity verification systems. This interoperability is based on the use of interoperable smart cards, which are plastic, credit card sized devices that use integrated circuit chips to store and process data. Smart cards offer the potential to enhance security by improving the process of authenticating the identity of people accessing Federal buildings and computer systems, especially when used in combination with other technologies, such as biometrics.[3]

[3] A biometric measures a person's unique physical characteristics (e.g., fingerprints, hand geometry) or behavioral characteristics (e.g., voice patterns, written signatures) and can be used to recognize the identity, or verify the claimed identity, of an individual.

PIV-II Minimum Requirements

Although FIPS 201-1 describes the minimum requirements to allow interoperability of the PIV smart cards for physical and logical access, it does not prescribe the extent to which agencies should use the cards for such purposes. According to FIPS 201-1, it is up to Federal departments and agencies to determine the level of security and authentication mechanisms appropriate for their applications. As explained by a NIST official, the FIPS standard and its associated guidelines specify what is to be on the card in order to support a range of physical and logical access control mechanisms, but do not specify what mechanisms should be employed.

Table 3 lists some of the minimum requirements for a PIV-II compliant system.[4] Also see Appendix A for an architectural diagram of components that may be included in a PIV-II system.

[4] These requirements appeared on an OMB HSPD-12 reporting template that Federal agencies were required to complete and submit to OMB for review and approval. Federal agencies were asked to provide a status and planned completion date for each of these requirements.

Table 3. Selected PIV-II Requirements

• Badges are issued through systems and providers whose reliability has been established by the agency through a self-accreditation process.
• All agency badges are issued with FIPS 201 visible external security features.
• All agency badges are issued with FIPS 201 electronic security features.
• Agency employees and contractors routinely use these electronic security features to gain access to facilities and/or systems (or to authenticate identity).
• Badges contain a biometric and can be electronically authenticated to the holder using a biometric match.
• Badges have the capability to be electronically verified to determine the employee/contractor is in good standing (i.e., badge has not been revoked).

OMB Guidance

In August 2005, OMB issued HSPD-12 implementation guidance for Federal departments and agencies. This guidance directed agencies to implement PIV-I requirements by October 27, 2005. It also directed agencies to begin issuing HSPD-12 badges that meet PIV-II requirements by October 27, 2006, to employees and contractors needing routine access to Federal facilities or information systems for more than 6 months.
OMB mandated that departments and agencies use only products and services that are approved as compliant with the FIPS standard and are included on an approved products list.

Current Status of HSPD-12 Implementation

In February 2006, the Government Accountability Office (GAO) reported that the Federal Government faces significant challenges in implementing the FIPS 201 standard, including:

• Testing and acquiring compliant commercial products, such as smart cards and card readers within OMB-mandated deadlines.
• Reconciling divergent implementation specifications.
• Incomplete guidance regarding the applicability of the standard to facilities, people, and information systems.
• Planning and budgeting with uncertain knowledge and the potential for substantial cost increases.

The report also assessed the progress of six agencies – the Departments of Defense, the Interior, Homeland Security, Housing and Urban Development, and Labor, and the National Aeronautics and Space Administration – in implementing PIV-I and PIV-II. GAO found that the six agencies had focused primarily on PIV-I and had begun to address PIV-II, but had not developed specific designs for card systems that met FIPS 201 interoperability requirements. Five of the six agencies reported that they had made little progress toward implementing PIV-II due largely to the absence of FIPS 201 compliant products.[5]

[5] GAO-06-178, Electronic Government – Agencies Face Challenges in Implementing New Federal Employee Identification Standard, was published in February 2006, prior to the issuance of FIPS 201-1.

NRC's Progress

The Nuclear Regulatory Commission (NRC) implemented a PIV-I process on October 27, 2005, in compliance with OMB's deadline. The agency's PIV-I process establishes five PIV-I roles: (1) applicant, (2) PIV sponsor, (3) PIV registrar, (4) I-9 document certification authority, and (5) PIV issuer. Table 4 provides information on each of these roles.

Implementation of the PIV-I process did not require major adjustments to NRC's existing personnel security program, which already required all employees and contractors to undergo background investigations prior to being permitted unescorted access within NRC facilities. The main changes are that (1) employees and contractors now must present two specific forms of original identification documents prior to being issued a badge and (2) some contractors undergo a higher level background investigation than previously was required. Also, due to HSPD-12's separation-of-duty requirement (i.e., that no single individual may issue a badge without the cooperation of another authorized individual), there are more people involved in the badging process than before.

Table 4. HSPD-12 Roles and Descriptions

    Applicant
        The contractor or employee to whom a badge is issued.

    PIV Sponsor (performed by the Office of Human Resources)
        The individual who validates an applicant's requirement for a PIV badge and sponsors the applicant's request.

    PIV Registrar (performed by designated staff in the headquarters Security Branch)
        The individual or entity that performs the identity-proofing process for the applicant and ensures that the proper background checks have taken place with positive results. The PIV registrar has the final approval authority for issuance of a badge to an applicant.

    I-9 Document Certification Authority (performed by designated staff in headquarters, the regional offices, and at resident inspector sites)
        The individual who assists the PIV registrar by performing the identity-proofing process for the applicant.

    PIV Issuer (performed by designated headquarters Security Branch staff and security guards, regional office, and resident inspector site staff)
        The individual or entity that issues a badge to an applicant following the positive completion of all identity proofing, background checks, and related approvals.

The PIV-II process is expected to bring more visible changes to NRC's process. In October 2005, the Commission approved the NRC staff's plan for implementing PIV-II in a timeframe acceptable to OMB. According to NRC staff, implementing NRC's planned PIV-II approach, which exceeds PIV-II minimum requirements, would cost $10.2 million. Further, it would serve to enhance the agency's physical and personnel security capabilities.
The plan includes:\n\n         \xc2\xbe Perimeter access control devices at headquarters and regional\n           entry points to read the HSPD-12 badge, verify its authenticity,\n           and allow access.\n\n         \xc2\xbe Logical access readers for all employee and contractor\n           workstations in headquarters and regional offices.\n\n         \xc2\xbe Fingerprint and photo capture stations in headquarters and\n           regional offices.\n\n         \xc2\xbe Badge encoders in headquarters and regional offices and badge\n           printers in headquarters.\n\n         \xc2\xbe Turnstiles for headquarters lobbies.\n\n         \xc2\xbe A new automated system to support HSPD-12, personnel\n           security, and physical security requirements.\n\n         As part of its implementation efforts, NRC established an NRC\n         HSPD-12 working group composed of 13 individuals from the\n         Offices of Administration and Information Services that meets\n         periodically to discuss developments and concerns related to\n         implementation of PIV-II at NRC.\n\nII. PURPOSE\n\n         The objective of this audit was to determine whether NRC is\n         positioned to meet HSPD-12 requirements. Appendix B contains\n         information on the audit scope and methodology.\n\n\n\n\n                                          8\n\x0c           Audit of NRC\xe2\x80\x99s Implementation of Homeland Security Presidential Directive-12 (HSPD-12)\n\n\n\nIII. FINDINGS\n\n           NRC implemented a PIV-I process in accordance with OMB\xe2\x80\x99s\n           deadline and is considering options for PIV-II implementation.\n           However, improvements are needed to (1) assure consistent\n           fulfillment of PIV-I requirements and (2) strengthen the HSPD-12\n           working group. In addition to these two audit findings, this report\n           conveys an observation concerning the agency\xe2\x80\x99s approach to PIV-\n           II. 
This observation, which appears in Appendix C, addresses the\n           need to document PIV-II alternatives to ensure the agency pursues\n           a cost-effective solution.\n\n  A.   PIV-I Process Is Not Always Followed\n\n           NRC implemented a PIV-I process within the timeframe required by\n           OMB. However, staff do not always follow certain PIV-I\n           requirements contained in NIST guidance or in NRC\xe2\x80\x99s accredited\n           PIV-I implementation plan. Auditors identified examples where:\n\n           \xc2\xbe The required background investigation was not completed prior\n             to badge issuance.\n\n           \xc2\xbe Required identity documents were not reviewed prior to badge\n             issuance.\n\n           \xc2\xbe Required paperwork was not on file.\n\n           \xc2\xbe The separation-of-duty requirement was not achieved in\n             headquarters because a single individual has the ability to issue\n             a badge without cooperation from any other participant in the\n             process.\n\n           These problems occurred because (1) there is no quality assurance\n           measure to assure that required steps are met prior to badge\n           issuance, (2) some personnel with roles in the process do not\n           understand their responsibilities, and (3) the badge photograph\n           process is not carried out in accordance with the accredited plan.\n           As a result, NRC (1) lacks assurance that the PIV-I process is\n           consistently followed and (2) does not achieve the HSPD-12\n           separation-of-duty requirement.\n\n\n\n\n                                            9\n\x0cAudit of NRC\xe2\x80\x99s Implementation of Homeland Security Presidential Directive-12 (HSPD-12)\n\n\n\nNIST and NRC Requirements\n\nFIPS 201-1 specifies the minimum requirements for a Federal\npersonal identity verification system that meets HSPD-12\xe2\x80\x99s control\nand security 
objectives. According to FIPS 201-1, departments and agencies are to adopt and use a self-accredited process for verifying applicant identities and issuing and maintaining applicant badges. Departments and agencies are required to accredit their process by determining that it satisfies requirements, and the head of the entity is to approve the process in writing.

These requirements fall into three categories: (1) identity proofing and registration requirements used to verify the identity of the employee or contractor; (2) badge issuance and maintenance requirements pertaining to badge production and issuance to the employee or contractor; and (3) privacy requirements intended to protect the personal privacy of employees and contractors subject to HSPD-12 requirements. Requirements include the following:

  • A minimum background investigation must be completed prior to badge issuance. FIPS 201-1 requires that the Federal Bureau of Investigation (FBI) National Criminal History Fingerprint Check, which is one component of the National Agency Check, be completed before badge issuance.

  • The employee or contractor must provide two forms of original identity documents. These documents must come from the list of acceptable documents in Department of Homeland Security Form I-9, Employment Eligibility Verification. (See Table 5 for examples of acceptable I-9 documents.)

  • PIV applicants must be fully informed as to the intended uses of the badge and the related privacy implications.

  • The PIV identity proofing, registration, and issuance process must adhere to the separation-of-duty requirement to ensure that no single individual has the capability to issue a badge without the cooperation of another authorized person.

NRC's accredited PIV-I process describes an approach that meets FIPS 201-1 requirements, including those listed in the previous paragraph. The process establishes specific PIV-I roles. For example, PIV registrars in the Security Branch at headquarters are responsible for ensuring that the necessary background investigation is complete and reviewing the two original I-9 documents prior to badge issuance. In the regional offices and at resident inspector sites, this role is assisted by I-9 document certification authorities, who review the two original I-9 documents and certify to the headquarters registrars that the documents are appropriate and authentic. PIV issuers in the regional offices, resident inspector sites, and headquarters issue badges to the employee or contractor after all prerequisites are met.

Table 5. Examples of I-9 Documents

  • U.S. Passport, expired or unexpired
  • Unexpired foreign passport
  • Certificate of U.S. Citizenship
  • Certificate of Naturalization
  • Driver's license
  • Federal, State, or local government identification card
  • School ID card
  • Voter's registration card
  • U.S. Social Security card
  • U.S. military card or draft record
  • U.S. citizen identification card

NRC's Process Was Not Always Followed

NRC's PIV-I process was not consistently followed in that:

  • The required background investigation was not always completed prior to badge issuance.

  • Two forms of I-9 documents were not always reviewed prior to badge issuance.

  • The form indicating that the applicant was notified of privacy implications was not always on file.

  • At headquarters, the separation-of-duty requirement was not met.
The issuer, who takes the photographs for headquarters employees and contractors and issues badges to these individuals, has the ability to issue a badge without cooperation from any other participant in the process. In contrast, separation of duties occurs in the NRC regional offices because the badge photographs are taken in the regional offices and the badges are produced at headquarters.

Background Investigation

Auditors conducted a file review to assess how well the PIV-I process was followed for 72 employees and 4 contractors hired during the first 4 months that the process was implemented and identified two instances where the required background check was not complete prior to badge issuance. In one case, the FBI National Criminal History Fingerprint Check had not been returned and in the other case, the fingerprint check was returned, but not all components of the National Agency Check were complete. Both instances occurred during the period of time when both FIPS 201 and NRC's accredited PIV-I plan required the return of the National Agency Check.[6]

  [6] Prior to March 2006, under the original FIPS 201, the required investigation was the National Agency Check. Now, however, the revised FIPS 201-1 requires that only one component of the National Agency Check, the FBI National Criminal History Fingerprint Check, be completed before badge issuance. NRC issued revision 1 of its accredited PIV-I plan on March 24, 2006, after OIG identified cases where badges had been issued prior to the return of the fingerprint check. The revised document states that badges may be issued following return of the fingerprint check.

Figure 1. File Review Results (based on 76 files reviewed)

  Area of focus                        Percentage complete
  Two I-9 copies on file               83%
  Privacy form signature on file       84%
  PIV sheet complete                   14%

I-9 Documentation

Two indicators suggested inconsistency with regard to the review of two I-9 documents for each applicant. First, auditors found three examples where contractors were required to present only one I-9 document for review prior to badge issuance. Second, auditors identified 10 employee files that did not contain copies of two I-9 documents. Of the 10 incomplete employee files, 8 contained no I-9 document copies at all. The three contractor examples provide actual cases where the process was not followed, whereas the absence of documents in the other files suggests other occasions where the process may not have been followed. While the absence of documents in the files does not prove definitively that the documents were not reviewed, it likewise does not prove that the documents were reviewed. To ensure consistency, copies of two I-9 documents should be included in each file. See Figure 1 on page 12 for information on the file review results.

Privacy Form

To verify that applicants are informed about the privacy issues relevant to the PIV-I process, applicants are asked to review a Privacy Act statement concerning the badge issuance process and to sign a form acknowledging their review of the statement. The Security Branch maintains some of these forms in individual personnel security folders and others in a binder used specifically to store these forms.

During the file review, auditors could not locate signed forms for 12 individuals in either location. Although the absence of these documents does not prove that applicants were not informed about the Privacy Act concerns, it does not provide assurance that the appropriate step occurred.

Separation of Duties

NRC's PIV-I process specifies that photographs for employees and contractors are to be taken by PIV registrars in headquarters and by the I-9 certification authorities in the regional offices and at resident inspector sites. However, this requirement is not fulfilled in headquarters, where the issuers, and not the registrars, take the photographs. Because it is the headquarters issuers who also produce the badges and issue them to headquarters employees, these individuals have the capability of creating and issuing badges without input from any other individual with a role in the process.

Separation of duties does occur in the regional offices because, while the badge photographs are taken in those locations, the badge production occurs at headquarters.

Process Adjustments Are Needed

These problems occurred because:

  • There is no quality assurance measure to assure that required steps are met prior to badge issuance.

  • Some with roles in the process do not understand their responsibilities.

  • The badge photograph process is not carried out in accordance with the accredited plan.

Quality Assurance Measure Is Absent

NRC has issued badges to employees who did not complete the prerequisites to badge issuance because there is no quality assurance measure in the process to ensure all necessary steps are completed prior to issuance. No individual is assigned the task of reviewing all prerequisite steps prior to sending the signal to the badge creators that a badge is now warranted.

Currently, the notification to the headquarters issuers to produce and issue a badge is signaled by the transmittal of NRC Form 236, "Personnel Security Clearance Request and Notification," for employees and NRC Form 89, "Badge Request," for contractors. Both forms are used to provide information to the Security Branch as to what type of clearance or access is needed.
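The gate the report finds missing can be made concrete. The following is an added example, not code from the OIG report or from any NRC system: a pre-issuance check that refuses to signal the badge issuer until the prerequisites the report names are on file (fingerprint check returned, two acceptable I-9 document copies, signed Privacy Act acknowledgement) and that enforces separation of duty. The separation-of-duty rule is modelled, as an assumption, by requiring the issuer to be a different person from both the registrar and whoever took the photograph, which is the headquarters failure the audit describes. The `require_full_nac` flag goes one step beyond the report's finding and reproduces the pre-March 2006 rule from footnote 6. Field names, role names and the sample records are constructed for illustration.

```python
# Added example, not code from the OIG report or from any NRC system: a
# pre-issuance gate that refuses to signal the badge issuer until every PIV-I
# prerequisite the report names is on file, and that enforces the FIPS 201-1
# separation-of-duty rule. Field names, role names and sample records are
# constructed for illustration.
from dataclasses import dataclass
from typing import Dict, List

# Examples of acceptable I-9 identity documents, after Table 5 of the report.
ACCEPTABLE_I9_DOCUMENTS = {
    "U.S. Passport", "Foreign passport", "Certificate of U.S. Citizenship",
    "Certificate of Naturalization", "Driver's license",
    "Government identification card", "School ID card",
    "Voter's registration card", "U.S. Social Security card",
    "U.S. military card", "U.S. citizen identification card",
}


@dataclass
class PivVerificationSheet:
    """Tracking record for one applicant (a hypothetical layout of the
    Security Branch's Personal Identity Verification Sheet)."""
    applicant: str
    fbi_fingerprint_check_returned: bool
    national_agency_check_complete: bool
    i9_documents_on_file: List[str]   # titles of the copies kept in the file
    privacy_statement_signed: bool
    registrar: str      # verified identity and reviewed the I-9 documents
    photographer: str   # took the badge photograph
    issuer: str         # produces the badge and hands it to the applicant


def prerequisite_failures(sheet: PivVerificationSheet,
                          require_full_nac: bool = False) -> List[str]:
    """Return every unmet prerequisite; an empty list means the badge may issue.

    require_full_nac=True applies the original FIPS 201 rule (the whole
    National Agency Check before issuance). The default applies FIPS 201-1,
    under which only the FBI fingerprint-check component must be back first.
    """
    failures = []
    if not sheet.fbi_fingerprint_check_returned:
        failures.append("FBI National Criminal History Fingerprint Check not returned")
    if require_full_nac and not sheet.national_agency_check_complete:
        failures.append("National Agency Check not complete")
    accepted = {d for d in sheet.i9_documents_on_file if d in ACCEPTABLE_I9_DOCUMENTS}
    if len(accepted) < 2:
        failures.append(f"{len(accepted)} acceptable I-9 document(s) on file; two required")
    if not sheet.privacy_statement_signed:
        failures.append("signed Privacy Act acknowledgement not on file")
    # Separation of duty (assumed modelling): whoever produces and issues the
    # badge must not also be the person who registered the applicant or took
    # the photograph, so no single individual can complete an issuance alone.
    if sheet.issuer in (sheet.registrar, sheet.photographer):
        failures.append("separation of duty violated: issuer also registered "
                        "or photographed the applicant")
    return failures


def badge_request(sheet: PivVerificationSheet,
                  require_full_nac: bool = False) -> Dict[str, object]:
    """Authorize or block the signal to the issuer, recording the reasons."""
    failures = prerequisite_failures(sheet, require_full_nac)
    return {"applicant": sheet.applicant,
            "authorized": not failures,
            "failures": failures}


# Constructed sample records.
COMPLIANT = PivVerificationSheet(
    "Applicant A", True, True, ["U.S. Passport", "Driver's license"], True,
    registrar="registrar-1", photographer="registrar-1", issuer="issuer-1")

# The headquarters arrangement the audit found: the issuer also took the photo.
HQ_AS_FOUND = PivVerificationSheet(
    "Applicant B", True, True, ["U.S. Passport", "Driver's license"], True,
    registrar="registrar-1", photographer="issuer-1", issuer="issuer-1")

# Fingerprint check outstanding, one I-9 copy on file, no privacy form.
INCOMPLETE = PivVerificationSheet(
    "Applicant C", False, False, ["Driver's license"], False,
    registrar="registrar-2", photographer="registrar-2", issuer="issuer-1")

# Fingerprint check back, remaining NAC components still open: allowed under
# FIPS 201-1, blocked under the original FIPS 201 rule.
NAC_PENDING = PivVerificationSheet(
    "Applicant D", True, False, ["U.S. Passport", "School ID card"], True,
    registrar="registrar-2", photographer="registrar-2", issuer="issuer-1")

if __name__ == "__main__":
    for sheet in (COMPLIANT, HQ_AS_FOUND, INCOMPLETE, NAC_PENDING):
        print(badge_request(sheet))
```

Run as a script, the block prints one decision per sample record; the point of the design is that the request to the issuer is generated only from a fully completed verification sheet, so the sheet itself becomes the quality-control record the report recommends, and the separation-of-duty rule is checked mechanically rather than relying on who happens to hold the camera.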
Although each form is completed by a Security Branch official and forwarded to the issuers from the Security Branch, neither Form 236 nor Form 89 provides information concerning the status of the PIV-I process (e.g., background investigation complete, two I-9 documents provided) to indicate that all necessary prerequisites are complete.

The Security Branch developed and uses a Personal Identity Verification Sheet to track the PIV-I process. This form, which is maintained in the personnel security files, is often incomplete, and therefore not a useful indicator of whether prerequisite steps were accomplished. Of the 76 verification sheets reviewed during the audit, only 11 were completely filled out. If the Security Branch were to require completion of the form, this would be a useful tool to review as a quality control measure prior to badge issuance.

Lack of Understanding of Responsibilities

Another reason staff do not consistently follow the PIV-I process is that some individuals with roles in the process do not fully understand their responsibilities. In headquarters, five individuals with the registrar role expressed or demonstrated misunderstandings about such aspects of the process as:

  • How contractors are handled.

  • The type of background investigation needed prior to badge issuance.

  • Whether unescorted access is permitted prior to provision of two I-9 documents.

  • Whether issuers need to review copies of two I-9 documents prior to badge issuance.

Regional staff with HSPD-12 roles were generally less familiar with their responsibilities than headquarters staff due to the small number of regional staff and contractors hired for those locations since October 27, 2005 (the date NRC implemented its PIV-I process). Three of seven regional employees contacted by the Office of the Inspector General (OIG) had not received formal training on their role and two had not received any written guidance. Moreover, one individual incorrectly thought that the HSPD-12 process for regional contractors would be handled entirely by headquarters.

Process for Badge Photographs Does Not Follow Plan

Separation of duties is not achieved in headquarters because staff are not following the process described in the accredited PIV-I plan, which assigns badge photographs to the registrar. Allowing issuers to take the photographs and produce and issue the badges gives them the ability to single-handedly produce badges without input from anyone else in the process. A Security Branch official said they have prepared an area within their office space to allow headquarters registrars to take the photos, but have yet to implement this process.

During the audit exit conference, an NRC official said the Security Branch registrars had begun taking the badge photographs and that this task was no longer being performed by the headquarters issuers.

No Assurance That Process Is Followed

NRC lacks assurance that its PIV-I process is consistently followed and does not achieve the HSPD-12 separation-of-duty requirement. Implementing measures to assure the process is followed and imposing the separation-of-duty requirement will assist the Security Branch Chief in his ongoing HSPD-12 responsibility to ensure that badges are produced and issued in accordance with requirements.

Recommendations

OIG recommends that the Executive Director for Operations:

1. Assign an individual or individuals to ensure that all PIV-I requirements are met prior to initiating a request to the issuer to produce and issue a badge.

2. Require completion of the Personal Identity Verification Sheet to track the PIV-I process and use this form to initiate the badge request.

3. Provide NRC-specific HSPD-12 training to all individuals with roles in the process to ensure they understand their responsibilities and the process overall. This training should include the provision of written guidance, such as checklists of responsibilities, to all individuals with roles in the process.

4. Implement rules for separation-of-duty with regard to badge photographs.

B. HSPD-12 Working Group Has Several Shortcomings

NRC's HSPD-12 working group lacks a charter, lacks certain expertise that will be useful to guide the implementation of PIV-II, and has limited executive level representation. NRC's HSPD-12 working group is not sufficiently formalized or representative because Security Branch officials did not recognize the need for such measures. The development of an appropriate and cost-effective PIV-II solution will be facilitated by the efforts of a more formalized working group.

Working Groups

Important agency projects benefit from formalized working groups. Membership should include all NRC offices whose business processes will be affected by project implementation. Working groups can be critical to project development and implementation if their mission and member roles and responsibilities are clear to all parties.
The importance of formalizing working groups is noted in two NRC Management Directives and Handbooks (MD) and by existing practice.

MDs 5.3 and 6.3

MD 5.3, "NRC/Agreement State Working Groups," describes the steps and process the staff should follow in establishing and implementing NRC/Agreement State working groups. MD 6.3, "The Rulemaking Process," specifies guidance for working groups tasked with supporting the rulemaking process.

Although these MDs focus on specific working groups, the guidance is applicable to other projects. For example, MD 5.3 describes the information that should be included in a working group's charter, such as purpose, membership, schedule, and expected product/outcome of the working group. MD 5.3 states that the lead organization usually assumes lead responsibility for the working group, including establishing the purpose of the working group, requesting participation, drafting a charter, identifying members, and tracking progress. This guidance also explains that working group members should be active in recommending improvements and should understand how their contributions are used in the process and products.

MD 6.3 specifies guidance for working groups tasked with meeting agency rulemaking objectives. Membership should include (1) a task leader from the lead office, (2) members from within the lead office that have program responsibilities related to the rulemaking, (3) a member from the Office of the General Counsel to provide legal advice and support, and (4) staff from other offices, as appropriate.

Working Group Examples

The role of working groups has been defined in various internal and external efforts. Current NRC working groups include the Management Directives Working Group, the High-Level Waste - Information Support Program Executive Steering Committee, and Rulemaking Working Groups. Working groups such as these have established charters and consist of executive, management, and staff representatives from a range of NRC offices. In addition, two agencies interviewed during the course of this audit have established working groups to promote HSPD-12 implementation. Appendix D contains a sample of an HSPD-12 working group charter provided by another Federal agency.

HSPD-12 Not Sufficiently Formalized

The project to implement HSPD-12 is not benefiting from the input of a structured, formalized working group. Specifically, NRC's HSPD-12 working group:

  • Has not established a charter.

  • Lacks some expertise that will be needed to guide the implementation of PIV-II.

  • Has limited executive level management representation.

Charter Not Established

NRC's HSPD-12 working group has not established a charter defining its purpose, mission, roles and responsibilities, and products. In addition, there are no formal records documenting meeting agendas, minutes, or the status of unresolved issues.

Lacks Certain Expertise

The current HSPD-12 working group lacks certain expertise that will be useful to guide the implementation of PIV-II and does not represent all NRC offices whose business processes will be affected when PIV-II is being implemented.

The current HSPD-12 working group does not include representation from offices outside the Office of Information Services and the Office of Administration, and also does not include some expertise from within these offices needed to facilitate a PIV-II solution. For example, there is no representative from the Division of Contracts to help with acquisition strategy, no representative from the Office of the General Counsel to provide legal advice concerning a PIV-II solution, and no representative from the Office of the Chief Financial Officer to assist with financial issues. In addition, the Office of Information Services staff person who was instrumental in costing out and encouraging the PIV-II planning approach is not a working group member.

Limited Executive Level Management Involvement

NRC's HSPD-12 working group has limited executive level management representation. The HSPD-12 working group is composed of 12 NRC employees and 1 contractor. Although the majority of the participants are grade 13 or above, only one member is a senior level executive, and this individual, from the Office of Information Services, rarely attends the working group meetings.

Need For Structure Not Recognized

The absence of an HSPD-12 working group charter, limited executive level management, and limited intra-agency representation within the HSPD-12 working group occurred because Security Branch staff did not recognize the need for input from such a group during the initial phase of HSPD-12 implementation. The Security Branch developed the PIV-I plan internally and involved other offices only for the PIV-I accreditation process. However, for PIV-II development and implementation, the input from a formalized working group will be increasingly important to complete these more technical tasks that will affect the business processes of all NRC offices.

Facilitation of Cost-Effective Solution

The development of an appropriate and cost-effective PIV-II solution will be facilitated by the efforts of a more formalized working group.

Recommendations

OIG recommends that the Executive Director for Operations:

5. Expand the HSPD-12 working group by including representation from all offices needed to facilitate a cost-effective PIV-II solution.

6. Formalize the HSPD-12 working group by developing a charter that defines the membership and expectations.

IV. AGENCY COMMENTS

During an exit conference held July 10, 2006, the agency generally agreed with the audit findings and recommendations and provided comments concerning the draft audit report.
We modified the report as we determined appropriate in response to these comments. NRC reviewed these modifications and opted not to submit formal written comments to this final version of the report.

V. CONSOLIDATED LIST OF RECOMMENDATIONS

OIG recommends that the Executive Director for Operations:

1. Assign an individual or individuals to ensure that all PIV-I requirements are met prior to initiating a request to the issuer to produce and issue a badge.

2. Require completion of the Personal Identity Verification Sheet to track the PIV-I process and use this form to initiate the badge request.

3. Provide NRC-specific HSPD-12 training to all individuals with roles in the process to ensure they understand their responsibilities and the process overall. This training should include the provision of written guidance, such as checklists of responsibilities, to all individuals with roles in the process.

4. Implement rules for separation-of-duty with regard to badge photographs.

5. Expand the HSPD-12 working group by including representation from all offices needed to facilitate a cost-effective PIV-II solution.

6. Formalize the HSPD-12 working group by developing a charter that defines the membership and expectations.

APPENDIX A

PIV-II ARCHITECTURE DIAGRAM

The Architecture Diagram (page 24) provides a high-level overview of the components required to implement a FIPS 201 compliant system. The system components are as follows:

  • The Identity Management System (IDMS) is the central component that interacts either directly or indirectly with all other components of the PIV-II Architecture.

  • Registration stations are used to identity proof applicants and capture their biometrics for use in conducting background investigations and printing information on the PIV card.

  • The public key infrastructure (PKI) component of the system will issue digital certificates, manage the keys associated with those certificates, and maintain up to date information on certificate status.

  • The card management system (CMS) is used to manage card lifecycle activities. The CMS interfaces with the IDMS as well as the certificate authority, card printing station, and the PIV card itself. The CMS will be used to manage the issuance and printing of a PIV card and the public key infrastructure certificate associated with that card.

  • The card printing system (CPS) will manage the printing and distribution of the actual PIV cards.
Card printing and distribution will interface directly\n       with the CMS and the applicant and indirectly with PKI, and IDMS.\n\n   \xe2\x80\xa2   Employee Data serves as the authoritative data source for providing\n       information to the IDMS. All applicant information must first be present in\n       the Employee data system before it is available to the IDMS; no applicant\n       information will be entered directly into the IDMS.\n\n   \xe2\x80\xa2   Office of Personnel Management (OPM) will conduct all applicant\n       background investigations and forward results to the appropriate agency\n       for adjudication. The FBI will be responsible for conducting fingerprint\n       checks against its fingerprint database as a component of all background\n       investigations.\n\n   \xe2\x80\xa2   Logical Access Control Systems (LACS) will interface with PIV cards to\n       provide cardholders access to federally controlled networks and\n       information systems.\n\n   \xe2\x80\xa2   Physical Access Control Systems (PACS) will interface with PIV cards to\n       provide cardholders access to federally controlled facilities.\n\n\n                                              23\n\x0c                                   Audit of NRC\xe2\x80\x99s Implementation of Homeland Security Presidential Directive-12 (HSPD-12)\n\n\n\n\nHSPD-12 Core Components\n   PKI Certificate\n     Authority\n          PKI                                                            Personnel Management\n                                              Sponsor                          Systems\n                                               Role\n\n\n\n                Key Mgt.                                               
Employees                 Affiliates\n    CRL\n                                                                                   Contractors\n                                                                                                                     Adjudicator\n                                                                                                                        Role\n         Certificate\n         authority                                                                                                          Interface with                             Finger Print\n                                                                                                                              Background                                  Check                         FBI\n                                                    IDMS                                                                     Investigation                      OPM\n                                                                            Interface with Personnel                           Systems\n                                                                             Management Systems\n                   In\n                       te\n                          ra\n                             c\n                           tio\n                               n\n\n\n\n\n             CMS                                                                                                                 Registration                                                  Applicant\n\n\n                                                                                                                                                                                      Biometrics\n                                                                                                                                                                  Camera\n\n                                     
[Figure: PIV system architecture diagram (image not recoverable). Component labels legible in the extracted text: Card Reader; IDM DB; CMS; OCSP Responder; CPS; App Server; Reporting; Registration WKS with Document Scanner, Finger Print Scanner, and Source Documents; Registrar Role; Card Printing; Card Distribution; "Interfaces with Logical Access Control Systems" (LACS: SSO, Directories, WKS, Card Reader); "Interface with Physical Access Control Systems" (PACS: Reader, PACS DB); and "Interaction" arrows between components.]

Audit of NRC’s Implementation of Homeland Security Presidential Directive-12 (HSPD-12)

Appendix B

SCOPE AND METHODOLOGY

Auditors evaluated whether NRC is positioned to meet HSPD-12 requirements.

The OIG audit team reviewed relevant criteria, including HSPD-12, OMB guidance concerning HSPD-12,
and NIST guidance, including FIPS 201 and FIPS 201-1. The audit team also reviewed NRC’s documentation of its accredited PIV-I process as well as correspondence between NRC and OMB concerning HSPD-12 funding.

Auditors interviewed staff from the Office of Information Services and the Office of Administration concerning HSPD-12 implementation. Auditors interviewed regional and headquarters staff with roles in NRC’s HSPD-12 process to assess their understanding of the process. Auditors also interviewed representatives from the Office of Personnel Management and the National Archives and Records Administration to learn about their implementation of HSPD-12, and communicated with staff from OMB and NIST concerning HSPD-12 requirements.

Auditors compared NRC’s accredited HSPD-12 process with FIPS 201-1 and with OMB requirements, and observed aspects of the process as implemented at headquarters to assess whether NRC’s process and procedures met HSPD-12 objectives. Auditors also reviewed 76 personnel security files for NRC employees and contractors with Entry on Duty dates of October 27, 2005, through February 28, 2006.

This work was conducted from December 2005 through March 2006, in accordance with generally accepted Government auditing standards, and included a review of management controls related to audit objectives. The work was conducted by Beth Serepca, Team Leader; Judy Gordon, Audit Manager; Vicki Foster, Senior Management Analyst; and Erica Horn, Auditor.

Appendix C

AUDIT OBSERVATION CONCERNING NRC’S PIV-II APPROACH

NRC, like other Federal agencies, is challenged to meet OMB implementation deadlines because approved products are not yet available, uncertainty persists over basic requirements, and additional money was not provided to implement HSPD-12. Given the lack of products or additional resources, and a Governmentwide initiative to look for cost-effective ways to implement HSPD-12, NRC has an opportunity to consider less expensive options than the agency initially envisioned in its $10.2 million PIV-II budget estimate. That budget estimate reflects a PIV-II plan that goes beyond minimum PIV-II requirements and does not take advantage of opportunities to share resources with other agencies.

While agency officials explained that they are continually considering alternative approaches, and have shifted their plan with regard to an OMB deadline, they had not documented such alternatives until recently.
During the audit exit conference, NRC managers informed OIG that the $10.2 million approach was no longer the only documented approach under consideration. They explained that in May 2006 (after fieldwork on this audit was complete), the Office of Administration presented estimated costs for alternative approaches, including the use of a shared service provider, to NRC’s Program Review Committee for consideration in the agency’s budget process.

OMB Deadlines

OMB established October 27, 2006, as the date by which Federal agencies are to begin issuing PIV-II badges, and October 27, 2007, as the date by which compliant badges are to have been issued to all employees and contractors. At NRC’s request, OMB allowed NRC a more generous timetable for compliance. Under the NRC plan that OMB approved, NRC proposed to begin issuing badges on September 28, 2007, and to finish issuance by February 28, 2008.

NRC’s Schedule

Because no additional funding was provided to NRC for HSPD-12 implementation, and because approved HSPD-12 products were not available earlier this year as anticipated,[7] NRC does not intend to meet the OMB-approved dates. Instead, the agency intends to revert to a prior timeline that OMB disapproved. Under that plan, the agency proposed to begin issuing compliant badges in November 2008. However, a Security Branch official said that NRC would issue a single badge in October 2006 to fulfill OMB’s requirement to begin issuing PIV-II compliant cards at that time.

NRC’s PIV-II Plans

While agency officials explained that they are continually considering alternative approaches to the $10.2 million PIV-II plan that they developed, they have not, until recently, documented these alternatives.

The $10.2 million plan, which is documented and which served as the basis for the timeline approved by OMB, reflects an approach that may be warranted to strengthen security at NRC. This plan exceeds minimum HSPD-12 requirements by including logical access readers on every employee’s workstation, lobby turnstiles, fingerprint authenticators, a new badge access system, a new personnel security system, and in-house badge manufacturing capabilities. (See the Background section of this report for information on minimum requirements.)

Security Branch officials’ perspectives toward the documented approach have shifted over time. At the start of this audit, a Security Branch official explained that this solution was desirable because it would allow employees to have one badge access card instead of two (i.e., one for NRC access and one that is HSPD-12 compliant) and would eliminate the need to “sneakernet”[8] data from the personnel security database to the badge access database. The official also said that in-house badging capability was desirable because it would prevent inconveniencing NRC staff who, under a shared resources approach (e.g., relying on another agency’s badge manufacturing capabilities), would have to commute to an offsite location to obtain initial and replacement badges.

More recently, however, a Security Branch official described the $10.2 million plan as an outside guess based on the “worst case,” in that it allows for all possibilities and for the uncertainties in product availability and cost. This official explained that the Security Branch is considering alternative approaches, including the sharing of resources with other agencies. Although NRC officials are contemplating alternatives to the $10.2 million approach documented to support the plan and schedule approved by OMB, the agency has only recently begun to document these alternatives.

By continuing to document the alternative approaches to PIV-II that are currently under consideration, and the timelines and costs for implementing these approaches, NRC will be better positioned to pursue a cost-effective course of action.

[7] As of the drafting of this report, approved, HSPD-12-compliant products were still unavailable.

[8] Sneakernet is a term used to describe the practice of sharing data by copying files to floppy diskettes and walking them to another part of the office to load them onto another computer. It is a way of sharing data and files in the absence of a local area network.

Appendix D

SAMPLE CHARTER

HOMELAND SECURITY PRESIDENTIAL DIRECTIVE-12
PERSONAL IDENTITY VERIFICATION WORKING GROUP

The Personal Identity Verification (PIV) Working Group is a stakeholders working group supported by voluntary participation from the key NRC organizations impacted by PIV implementation.

1.    Mission.

The Personal Identity Verification (PIV) Working Group is designed to support collaborative implementation of Homeland Security Presidential Directive-12 (HSPD-12), ensuring that the agencywide personal identity program meets the control and security objectives of HSPD-12, to include identity proofing, registration, and issuance.

2.    Scope.

The PIV Working Group supports the agency’s PIV implementation efforts by:

      a.    Serving in an advisory capacity.

      b.    Facilitating integration among stakeholder departments to promote proper selection and use of the best available equipment and procedures to optimize safety, interoperability, and efficiency.

      c.    Identifying technical, physical security, and facilities requirements for PIV implementation.

      d.    Providing a catalyst for recommendations to the Interagency Advisory Board (IAB) on interoperability solutions between Federal agencies.

      e.    Establishing policy and procedures for the operation and maintenance of the agency’s PIV program.

3.    Organizational Structure and Responsibilities.

      a.    Chairman – The PIV Working Group Chairman is __________ and Co-Chairs are __________; all of the Division __________. The Chairman is selected by default as part of the position description of the PIV Physical Security Specialist. The Chairman’s term starts at EOD and ends when this individual transitions out of the position.

The Chairman administers, organizes, and facilitates the actions of the PIV Working Group.

The Chairman provides recommendations to the Executive Stakeholders Committee through the __________.

      b.    Working Group Membership

SubGroups/Co-Chairs

SubGroups – The PIV Working Group has five SubGroups, which consist of subject matter experts:
             1.    Physical Security
             2.    Information Systems
             3.    Contracting and Facilities
             4.    Human Capital
             5.    Executive Stakeholders

SubGroups will send Primary and/or Backup representatives to act as Co-Chairs.

The duties of SubGroup/Committee Co-Chairs are to:

      a.    Direct the efforts within their SubGroups to accomplish the scope of PIV Working Group activities, to support overall PIV implementation and maintenance.

      b.    Provide liaison with the PIV Working Group Chairman.

      c.    Provide meeting minutes, status of ongoing projects, and written reports of recommendations and requirements from the SubGroup.

      d.    Review membership participation and ensure that SubGroup membership represents interests across the entire agency.

Interagency Advisory Board (IAB) – A coordination committee outside of the agency, to which the agency sends representatives, that provides the interface between OMB and sponsoring Federal Government agencies. The IAB consists of Federal officials from contributing agencies and departments. The IAB shall:

      a.    Coordinate and leverage ongoing Federal research, development, testing and evaluation (RDT&E) efforts to meet the HSPD-12 requirements as identified by OMB.

      b.    Solicit and coordinate mission support, which includes activities such as organizational staff support, contributory funding, project sponsors, meetings, technical support, the IAB business cycle, and resulting products.

      c.    Meet to coordinate Federal requirements.

      d.    Attend general membership meetings.

4.    Execution.

      The Working Group shall conduct its mission during weekly meetings. The co-chair will provide a meeting agenda no later than three business days prior to the weekly meeting. The co-chair will record the issues addressed during each weekly meeting.